12-16-2009, 07:44 PM
Craig White

{Disarmed} Problems with nss_ldap - where to start?

On Wed, 2009-12-16 at 12:39 -0800, Peter Serwe wrote:
> I think not as well. The tactest user has been blown back out. I can
> re-add it from ldif again.
>
> [root@ldap home]# getent passwd | grep example
> [root@ldap home]#
>
> [root@ldap home]# cat /etc/nsswitch.conf | grep -v #
>
>
> passwd: files ldap
> shadow: files ldap
> group: files ldap
>
> hosts: files dns
>
>
> bootparams: nisplus [NOTFOUND=return] files
>
> ethers: files
> netmasks: files
> networks: files
> protocols: files
> rpc: files
> services: files
>
> netgroup: nisplus
>
> publickey: nisplus
>
> automount: files nisplus
> aliases: files nisplus
>
> [root@ldap home]# cat /etc/pam.d/system-auth
> #%PAM-1.0
> # This file is auto-generated.
> # User changes will be destroyed the next time authconfig is run.
> auth required pam_env.so
> auth sufficient pam_unix.so nullok try_first_pass
> auth requisite pam_succeed_if.so uid >= 500 quiet
> auth sufficient pam_ldap.so use_first_pass
> auth required pam_deny.so
>
> account required pam_unix.so broken_shadow
> account sufficient pam_localuser.so
> account sufficient pam_succeed_if.so uid < 500 quiet
> account [default=bad success=ok user_unknown=ignore] pam_ldap.so
> account required pam_permit.so
>
> password requisite pam_cracklib.so try_first_pass retry=3
> password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
> password sufficient pam_ldap.so use_authtok
> password required pam_deny.so
>
> session optional pam_keyinit.so revoke
> session required pam_limits.so
> session optional pam_mkhomedir.so
> session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
> session required pam_unix.so
> session optional pam_ldap.so
>
> [root@ldap home]# cat /etc/ldap.conf | grep -v #
>
>
> BASE dc=tncionline, dc=net
> URI ldap://127.0.0.1
> port 389
>
> SIZELIMIT 12
> TIMELIMIT 15
> DEREF never
> timelimit 600
> bind_timelimit 600
> bind_policy soft
> idle_timelimit 3600
>
> nss_initgroups_ignoreusers pserwe,dgates,root,ldap,named,avahi,haldaemon,dbus
> base dc=tncionline, dc=net
> pam_password md5
----
here's a big problem... /etc/ldap.conf

you need to add...(assuming this is where you have People/Groups)

nss_base_passwd ou=People,dc=tncionline,dc=net?one
nss_base_shadow ou=People,dc=tncionline,dc=net?one
nss_base_group ou=Groups,dc=tncionline,dc=net?one

take the space out of base...
base dc=tncionline,dc=net

I'd also add (until you can deal)...
ssl no

Craig


--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
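A small checker for the two /etc/ldap.conf mistakes Craig points out above (whitespace inside the base DN, and no nss_base_passwd / nss_base_shadow / nss_base_group search bases), plus a check that each search base actually sits under the base DN. This is an added example, not code from the thread or from nss_ldap; the function names check_ldap_conf and write_sample_conf are this example's own, and the sample files it writes are constructed from the thread's config (with the scanner-mangled URI restored to 127.0.0.1), not read from a live system.

```shell
#!/bin/sh
# Added example (not from the thread): lint an nss_ldap-style ldap.conf.
# check_ldap_conf FILE  -> exit 0 if sane, 1 otherwise; findings on stdout.

check_ldap_conf() {
    conf="$1"
    rc=0

    # The last 'base' directive wins (matches 'base' or 'BASE', not nss_base_*).
    # Strip the keyword and any trailing whitespace; keep inner whitespace so
    # "dc=tncionline, dc=net" is detected as-is.
    base=$(grep -iE '^[[:space:]]*base[[:space:]]' "$conf" | tail -n 1 \
           | sed -E 's/^[[:space:]]*[Bb][Aa][Ss][Ee][[:space:]]+//; s/[[:space:]]+$//')
    if [ -z "$base" ]; then
        echo "missing: base directive"
        rc=1
    elif printf '%s' "$base" | grep -q '[[:space:]]'; then
        echo "bad: base DN contains whitespace: '$base'"
        rc=1
    fi

    for d in nss_base_passwd nss_base_shadow nss_base_group; do
        val=$(grep -iE "^[[:space:]]*$d[[:space:]]" "$conf" | tail -n 1 | awk '{print $2}')
        if [ -z "$val" ]; then
            echo "missing: $d"
            rc=1
            continue
        fi
        # Value is DN[?scope]; drop the scope and require the DN to be a child
        # of the base DN (literal comparison, so case/spacing must match).
        dn=${val%%\?*}
        if [ -n "$base" ]; then
            case "$dn" in
                *",$base") ;;
                *) echo "bad: $d '$dn' is not under base '$base'"; rc=1 ;;
            esac
        fi
    done
    return $rc
}

# Constructed sample configs: 'broken' mirrors the thread's file,
# 'fixed' applies the changes Craig recommends.
write_sample_conf() {
    case "$1" in
        broken) cat > "$2" <<'EOF'
BASE dc=tncionline, dc=net
URI ldap://127.0.0.1
port 389
bind_policy soft
base dc=tncionline, dc=net
pam_password md5
EOF
        ;;
        fixed) cat > "$2" <<'EOF'
URI ldap://127.0.0.1
port 389
bind_policy soft
base dc=tncionline,dc=net
nss_base_passwd ou=People,dc=tncionline,dc=net?one
nss_base_shadow ou=People,dc=tncionline,dc=net?one
nss_base_group  ou=Groups,dc=tncionline,dc=net?one
pam_password md5
ssl no
EOF
        ;;
    esac
}

# Demo when run directly: write both samples to a temp dir and lint them.
tmp=$(mktemp -d)
write_sample_conf broken "$tmp/broken.conf"
write_sample_conf fixed "$tmp/fixed.conf"
for f in broken fixed; do
    echo "== $f.conf"
    if check_ldap_conf "$tmp/$f.conf"; then echo "ok"; else echo "problems found"; fi
done
rm -rf "$tmp"
```

Run it against a real file with `check_ldap_conf /etc/ldap.conf` after sourcing the script; a non-zero exit means `getent passwd` will keep coming back empty for LDAP users until the flagged lines are corrected.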
 
12-16-2009, 07:47 PM
Craig White

{Disarmed} Problems with nss_ldap - where to start?

On Wed, 2009-12-16 at 12:39 -0800, Peter Serwe wrote:
> I think not as well. The tactest user has been blown back out. I can
> re-add it from ldif again.
>
----
and by the way... don't waste time trying to authenticate users/groups
that don't exist.

If they don't show up when you give commands like...

getent passwd
getent group

you aren't going to be able to authenticate... the system doesn't see
them. You can't authenticate users that don't exist. Likewise, groups
that don't exist or memberships to groups that don't exist are a
problem.

Craig

